Home » Cybersecurity » Threats & Breaches » Vulnerabilities » Nexus Intelligence Insights Sonatype-2017-0312: jackson-databind, The End of the Blacklist

Nexus Intelligence Insights Sonatype-2017-0312: jackson-databind, The End of the Blacklist

by Elisa Velarde on October 10, 2019

For our October Nexus Intelligence Insight we will return to a very popular component that has been both a blessing and a curse to developers around the world. We’ll cover a fundamental change to a default setting and how that change in ‘type’ may impact the security of your next open source project.

Before you read this post, you may want to review the ongoing issue with jackson-databind and Sonatype’s remediation guidance as a result.

Name of Vulnerability: Sonatype-2017-0312

Associated CVEs: CVE-2017-7525, CVE-2017-15095, CVE-2017-17485, CVE-2018-5968, CVE-2018-7489, CVE-2018-11307, CVE-2018-12022, CVE-2018-12023, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, CVE-2018-14721, CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, CVE-2019-14439, CVE-2019-14540, sonatype-2019-0371, and CVE-2019-16335.

Sponsorships Available

Type of Vulnerability: Deserialization leading to Remote Code Execution (RCE)

Component Name: `com.fasterxml.jackson.core:jackson-databind`

Versions Affected: (2.10.0)

Criticality/CVSS Metrics: 8.5 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Vulnerability Description:

For those who’d prefer a summary, the attack vector for this vulnerable component lies in the deserialization of untrusted data from improperly validated objects being provided as an input to an application. Should an attacker be able to influence the serialized object data and inject malicious code or logic into it, that code could wreak havoc in the application environment upon deserialization – from seemingly benign crashes to remote code execution to a total system compromise.

As mentioned in the previous post, Databind addressed the multiple deserialization vulnerabilities by using a “blacklist” approach, meaning the objects of restricted subtypes were not to be processed by the component for deserialization.

Blacklist approach:

The String-Set “s” maintains a list of “nasty classes” which are known to cause security issues and are restricted from being deserialized.

Blacklist approach JDB

Incomplete fix which further added “more classes” to the same blacklist: Incomplete fix JBD

Consequently, the Sonatype data research team concluded all such “fixes” as partial or incomplete.

To reduce the scan noise for our (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Elisa Velarde. Read the original post at: https://blog.sonatype.com/jackson-databind-the-end-of-the-blacklist

October 10, 2019October 10, 2019 Elisa Velarde deserialization, FEATURED, jackson databind, Nexus Intelligence Insights, Remote Code Execution, Vulnerabilities

Nexus Intelligence Insights Sonatype-2017-0312: jackson-databind, The End of the Blacklist

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

C2A Security’s EVSec Risk Management and Automation Platform Gains Traction in Automotive Industry as Companies Seek to Efficiently Meet Regulatory Requirements

Zama Raises $73M in Series A Lead by Multicoin Capital and Protocol Labs to Commercialize Fully Homomorphic Encryption

RSM US Deploys Stellar Cyber Open XDR Platform to Secure Clients

ThreatHunter.ai Halts Hundreds of Attacks in the past 48 hours: Combating Ransomware and Nation-State Cyber Threats Head-On

Daniel Stori’s ‘WC’